WCF - How to encrypt messages?

My WCF service involves transferring data (in CSV format) between the client and the service. This data must be encrypted so that it cannot be intercepted. I am using wsHttpBinding and trying to encrypt the message using the following settings in web.config:

    <wsHttpBinding>
      <binding name="wsHttp">
        <reliableSession enabled="true" />
        <security mode="Message">
          <message clientCredentialType="UserName" algorithmSuite="TripleDes" />
        </security>
      </binding>
    </wsHttpBinding>

When I try to create a client proxy, I get a long error message (which cannot be read completely because it runs off the bottom of the screen!). The error message says something like "service certificate is not provided."

How do I encrypt a message? Do I need a certificate? I should mention that this service will be used over the Internet from different domains, so I'm not sure if using "UserName" security is the best option (?)

I'm mostly confused!

+6
wcf
3 answers

Yes, your service needs a certificate so that your encryption keys can be exchanged securely. You can create a test service verification certificate using makecert.exe. See this blog post for more on this.

You also need to make sure that the account your service is running as can read the certificate's private key file. If you use Windows Vista (or a later version), the Certificates snap-in of the MMC allows you to manage permissions for this private key, but for earlier versions of Windows it is a bit more complicated. I used the utility that came with WSE 3, but someone else could suggest a more direct path. If your service runs as an administrator, you will most likely have to configure these permissions.

Update: like all good things, my blog has come to an end. Thanks makerofthings7 for reminding me. The makecert command needed to create a service authentication certificate looks something like this:

 makecert -sr LocalMachine -ss My -pe -n CN=subject-name -eku 1.3.6.1.5.5.7.3.1 -sky exchange 

... just replace the subject name with any certificate name that makes sense for your service.

+4
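As an added example (not from the question or any of the answers), here is a web.config that ties the questioner's binding to a service certificate created with the makecert command above; the subject name WcfTestService and the service and contract names are assumed:

```xml
<!-- Added example, not from the original question or answers. Assumed names:
     certificate subject WcfTestService, service CsvTransfer.Service, contract CsvTransfer.IService. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttp">
        <reliableSession enabled="true" />
        <security mode="Message">
          <!-- Message security: the client's UserName token and the message body are
               encrypted with the service certificate's public key -->
          <message clientCredentialType="UserName" algorithmSuite="TripleDes" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="CsvTransfer.Service" behaviorConfiguration="withServiceCert">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttp"
                contract="CsvTransfer.IService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="withServiceCert">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- The certificate makecert placed in LocalMachine\My (-sr LocalMachine -ss My);
               the account the service runs as must have read access to its private key,
               otherwise the host fails at startup -->
          <serviceCertificate findValue="WcfTestService"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Default: UserName tokens are validated against Windows accounts. For Internet
               clients from other domains, MembershipProvider or Custom is the usual choice. -->
          <userNameAuthentication userNamePasswordValidationMode="Windows" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client proxy must also trust that certificate: a makecert test certificate has no trusted chain, so the client's clientCredentials/serviceCertificate/authentication element needs certificateValidationMode="PeerTrust" with the certificate in the client's Trusted People store, while an Internet-facing deployment should use a CA-issued certificate and keep the default ChainTrust.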

@Martin is right, you need a certificate on the server. This link provides a good overview of the message flow for message-based security and provides sample code. This link provides a good overview of working with certificates.

For your authentication requirements, this link reviews the various options available. If you're new to WCF, Learning WCF: The Michele Bustamante How-To Guide is a good book and covers message-based security.

+4

I am still trying to find a solution to this problem. I have one too, but with XML signing. To find the user IIS runs as in WinXP: Start > Right-click My Computer > Manage > Services and Applications > Services > IIS Admin > double-click, and on the Log On tab it usually says Local System.

EDIT

Ok, this is how I solved my problem. I had made a certificate following this article. If the project is an ASP.NET website saved in a folder on your C: drive, you may not have a problem with this. But if you save it in IIS as an HTTP project, then you will have problems.

The way to solve it, after weeks of investigation, is not so difficult. Microsoft has something called Web Services Enhancements (WSE); you can download the latest version, but I use the second one with the latest service pack. When I installed it, I turned on everything.

Certificates may be in a physical file, but they are usually located in the certificate store, so use the X509 Certificate Tool in WSE 2.0. Open it and look for your certificate in the different sections until you find it. Then open it, and at the bottom there will be a view of the private key; on the Security tab add LOCALHOST\ASPNET. That should allow your website to read the certificate.

In short, what happens when you create public and private keys is that, although you can simply view the private key, it is really stored somewhere in Timbuktu on the file system, and you need to find it to give the ASPNET account read access. I read that in Vista it is much easier, but I use XP.

+1
